On 7/9/2014 4:31 PM, David Severance wrote:
Although my openssl version supports these things I can seem to get
Panda Imap 2010 to offer them when tested with testssl.sh. Does anyone
have any insight into this issue or experience getting this to work?
BTW where is the continued development work on Panda Imap post Mark
occurring?
thanks,
David
I've had some success in answering my own question with some research
into the code. I'm using CentOS so I've only looked into the src osdep
unix subdirectory to make changes to the ssl_unix.c file. It seems the
logic that selects the SSL method argument for the SSL_CTX_new call is
using the TLSv1_client_method which doesn't support later TLS versions.
Interestingly the logic selects SSLv23_client_method if it's working on
the fixed SSL port I believe. By changing the method used when the logic
selects TLS to use the SSLv23_client_method instead of
TLSv1_client_method I am presented with TLS v1.1 and TLS v1.2 options
when I test using testssl.sh. Combining this with an updated
SSLCIPHERLIST definition and security is improved greatly.
I'm sure the logic could be cleaned up further but I made the minimal
change necessary to avoid creating future problems in the code. Here's a
diff -u output:
--- ssl_unix.c.orig 2014-08-15 15:51:08.000000000 -0700
+++ ssl_unix.c.new 2014-08-15 15:51:45.000000000 -0700
@@ -53,7 +53,7 @@
* ports (e.g., 993 for IMAP, 995 for POP3) and using TLS exclusively.
*/
-#define SSLCIPHERLIST "ALL:!SSLv2:!ADH:!EXP:!LOW"
+#define SSLCIPHERLIST
"ALL:!ADH:!EXPORT:!SSLv2:!NULL:!DES:!RC4:+HIGH:+MEDIUM:@STRENGTH"
/* SSL I/O stream */
@@ -234,7 +234,7 @@
if (ssl_last_error) fs_give ((void **) &ssl_last_error);
ssl_last_host = host;
if (!(stream->context = SSL_CTX_new ((flags & NET_TLSCLIENT) ?
- TLSv1_client_method () :
+ SSLv23_client_method () :
SSLv23_client_method ())))
return "SSL context failed";
SSL_CTX_set_options (stream->context,0);
@@ -717,7 +717,7 @@
}
/* create context */
if (!(stream->context = SSL_CTX_new (start_tls ?
- TLSv1_server_method () :
+ SSLv23_server_method () :
SSLv23_server_method ())))
syslog (LOG_ALERT,"Unable to create SSL context, host=%.80s",
tcp_clienthost ())
I still have no idea on how to get it to offer DHE ciphers to support
PFS. It's not really my background but if anyone has some pointers on
where or what to look for I'd appreciate it. Anyway I figured I'd share
what I have. Constructive comments welcome.
thanks,
David
--
David Severance
Enterprise Unix Services
Office of Information Technology
(949) 824-7552
s...@uci.edu
_______________________________________________
Imap-uw mailing list
Imap-uw@u.washington.edu
http://mailman13.u.washington.edu/mailman/listinfo/imap-uw